Symantec Access Management

Expand all | Collapse all

Siteminder as SAML IDP. Wrong character in SAML Token

Jump to Best Answer
  • 1.  Siteminder as SAML IDP. Wrong character in SAML Token

    Posted 05-13-2019 02:02 PM

    Hi to All,

    I have Siteminder 12.8sp on Linux Centos 7 with JDK 1.8.0_151 
    I configured siteminder as IDP and I have another system like SP (in this case it's a Netscaler, but I don't think it matters.).  HTTP-POST binding,
    The problem is that the SAML tokens generated by siteminder have "strange" characters in the tags of the signatures and the certificate. These characters are 
  that make me think of the "newline" character.
    I paste the decoded tokens below (I took them from POST, but I verified that I find them also in the smtrace policy server logs).

     

     

    <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://dev-app.cen.poliziadistato.it/cgi/samlauth" ID="_6cf2b3197405aa0dd55323ba36600c728890" IssueInstant="2019-05-13T07:45:40Z" Version="2.0">


    [cut]

    </ds:SignedInfo> <ds:SignatureValue> I8LUIhLSY40RitYi4b5zTzBMa2Bd0ZFxcTy72poIiVjHcucq7JHrlh0IFSc3a3p5wW7ckRFs0Zrq&#13; 0EZ4nPfzn5Aa1u0XU83h4DDawjR6EmnhWGr3vdYce4BS9Oq68T616O8r+rg9RK0r3WgUXz/fO59K&#13; 5TrrjOm5nBGBjpauCxQ= </ds:SignatureValue>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> MIIB2DCCAUGgAwIBAgIRAIWG/xsSzTpy85Id3zNga14wDQYJKoZIhvcNAQELBQAwKjEMMAoGA1UE&#13; CgwDQ0VOMQwwCgYDVQQLDANDRU4xDDAKBgNVBAMMA0NFTjAeFw0xNzEyMTQxMTMzNTNaFw0yNzEw&#13; MjMxMDMzNTNaMCoxDDAKBgNVBAoMA0NFTjEMMAoGA1UECwwDQ0VOMQwwCgYDVQQDDANDRU4wgZ8w&#13; DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ1JpmfPkBemEKDbr6495rbHtZ0ym5MYQ6Wqk0USRPxO&#13; +CFMx5gYr7uQsy/44vRT6jSW7cEuiyG0fwidjLATV05zOdcadttEH3M3gMzTxoYuYZSlnmfj2ETY&#13; LftSL7+6FQiqdOjG4SkkvQIGPMC2oH84eJfymSiu81OGEEbjS7nzAgMBAAEwDQYJKoZIhvcNAQEL&#13; BQADgYEAGG7CnEaNy3yuswhGNJ+iF0n2MMlPgoOzKgSMEiCD0XS89bMtuIlibJ8Em3oidhuwXa/C&#13; B86wDhHFPJGg+cXe7K30Qph87EdEEz+THb6DdT5Bntmki6N0kYE8s7OSFHVi6lcpNYcCrnU0fWP5&#13; rmUxRbBV2SRlwXDGIDqZLsy6A7k= </ds:X509Certificate> </ds:X509Data>
    [cut]

     

    I used the same configuration that I have on an older system (Siteminder 12.8sp, JDK 1.80.151 on a different policy store, same certificate) . 
    In the old environment everything works and there are not those characters at the end of each line in the certificate and signature tags. Apparently the configurations are the same. Has it already happened to you? Do you have any suggestions?
    Thanks in advance
    Marco

    p.s. 

     

    in the new enviroment Without Signing I have no error! 



  • 2.  Re: Siteminder as SAML IDP. Wrong character in SAML Token
    Best Answer

    Posted 05-13-2019 11:53 PM

    This is a known issue with 12.8 GA and is fixed in 12.8 SP1 .I strongly recommend to install 12.8SP2 though as there many issues with 12.8 GA and 12.8 SP1

     

    if you still want resolution on 12.8 GA, follow below

     

     1. Download "xmlsec-2.1.2.jar" file from internet.

    2. Shutdown Policy Server

    3. Rename "/bin/endorsed/xmlsec-2.1.0.jar" to xmlsec-2.1.0.jar_backup

    4. Copy "xmlsec-2.1.2.jar" file to "/bin/endorsed/"

    5. Backup "/config/JVMOptions.txt"

    6. Update "/config/JVMOptions.txt" file as below sample.

    a) Updating the file path from pointing to xmlsec-2.1.0.jar to xmlsec-2.1.2.jar

    b) Adding "-Dorg.apache.xml.security.ignoreLineBreaks=true"

    7. Startup Policy Server



  • 3.  Re: Siteminder as SAML IDP. Wrong character in SAML Token

    Posted 05-14-2019 02:02 PM

    I updated to 12.8sp2 and everything works! 
    Thanks!
    Marco



  • 4.  RE: Re: Siteminder as SAML IDP. Wrong character in SAML Token

    Posted 08-10-2019 10:31 AM
    Hi Marco,

    We are trying to implement siteminder as IDP and Netscaler as SP. we are new to this siteminder.

    Could you please help us to share the steps to achieve this requirement?

    How to configure SAML Authentication server on Netscaler. And were i can mention my siteminder IDP Entity ID in Netscaler configuration.

    This is a urgent requirement. Request you to share us the configuration steps details at earliest.

    Reagrds,
    Tamizharasan N
    tamizharasan.n@quadrasystems.net